Service Token authentication not working over HTTPS

I have created a “Self-Hosted” Application in Zero Trust Access for a website proxied via Cloudflare, and am trying to configure it to allow access for a service token.

I have created a Service Token, and a single “Service Auth” policy with an “Include” rule for the service token:

However attempting to access the website using the service token ID and secret e.g. with curl results in a 403 response:

curl -v https://xxxxxxxxxx/ -H 'CF-Access-Client-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.access' -H 'CF-Access-Client-Secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

Should this work? If so, what am I doing wrong?

1 Like

Hi i have the exact same problem. I have been trying to solve the problem for 3 hours now

Okay i found the solution.
Go to Applications->choose any of yours->Settings
than active Access-Control-Allow-Credentials and Access-Control-Allow-Methods(Allow all methods) and save settings. If it is working now you can both turn off again. I dont know why but after i did these settings it worked.

I can’t even add dose settings without getting, “Error configuring your application: Access api error invalid_request: invalid CORS origins”